CVE-2026-9245 Overview
CVE-2026-9245 is an open redirect vulnerability in Devolutions Server. The flaw resides in the external authentication provider flow, where the post-login redirect target is not validated [CWE-601: URL Redirection to Untrusted Site], allowing an unauthenticated remote attacker to send victims to an attacker-controlled domain through a crafted login link. Successful exploitation requires user interaction, typically tricking a user into clicking a link that appears to originate from a trusted Devolutions Server instance.
Impact
An unauthenticated attacker can craft a login link on the legitimate Devolutions Server hostname that, once the victim completes the authentication flow, sends the browser to an attacker-controlled domain. The typical use is phishing and credential theft against Devolutions Server users; the flaw by itself gives the attacker no access to the server or its data.
Affected Products
- Devolutions Server versions 2026.1.6.0 through 2026.1.16.0
- Devolutions Server versions 2025.3.20.0 and earlier
- Component: devolutions:devolutions_server
Discovery Timeline
- 2026-05-22 - CVE-2026-9245 published to NVD
- 2026-05-22 - Last updated in NVD database
- Vendor advisory - Devolutions Security Advisory DEVO-2026-0013
Technical Details for CVE-2026-9245
Vulnerability Analysis
The vulnerability is classified as a URL redirection to an untrusted site, commonly known as an open redirect [CWE-601]. The external authentication provider flow in Devolutions Server takes the post-login destination from a request parameter. The application does not verify that this destination stays on a trusted origin before issuing the HTTP redirect.
An attacker constructs a login URL that combines the legitimate Devolutions Server hostname with a redirect parameter pointing at an attacker-controlled domain. Because the host in the link is the real server, users, and link-scanning controls that examine only the hostname, are more likely to trust it. After the authentication flow completes, the server redirects the browser to the attacker's destination.
The attack requires user interaction and operates over the network without authentication. Exploitation does not grant direct access to the Devolutions Server itself but enables effective phishing campaigns against its user base.
Root Cause
The external authentication provider flow does not enforce an allowlist of permitted redirect targets. Validation of the redirect destination is missing or insufficient, so arbitrary absolute URLs pass through to the final redirect response. Weaker fixes are themselves bypassable: a check that the value starts with "/" still lets "//evil.example" and "/\evil.example" through (browsers resolve both as protocol-relative URLs), and a check that the value contains or starts with the server's hostname is defeated by "https://server.example.com.evil.example" or "https://server.example.com@evil.example". A correct fix parses the value and compares its whole origin against an allowlist, or accepts only a single-slash relative path.
Attack Vector
The attacker crafts a URL referencing a vulnerable Devolutions Server endpoint with an embedded redirect parameter that targets an attacker-controlled domain. The attacker delivers the link through phishing email, chat, or another social engineering channel. When the victim clicks the link and proceeds through the authentication flow, the server redirects the browser to the attacker's site, which can mimic the Devolutions login page to harvest credentials or deliver malware. Refer to the Devolutions Security Advisory DEVO-2026-0013 for technical details.
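The crafted link from the Attack Vector section and the allowlist check the Root Cause section calls for, as an added example: this is not Devolutions Server code and is not taken from advisory DEVO-2026-0013. The endpoint path /external-provider/login, the parameter name returnUrl, the trusted host server.example.com and the fallback page /dashboard are assumptions; the product's real names may differ. The vulnerable handler reproduces the root cause (the parameter becomes the Location header unchanged); the fixed handler compares the parsed origin against an allowlist and is exercised against the bypass forms a prefix or substring check would miss.

```python
"""Crafted-link walkthrough and the allowlist check that CVE-2026-9245 lacks.

Added example; this is not Devolutions Server code. Assumptions: the endpoint path
/external-provider/login, the parameter name returnUrl, the trusted host
server.example.com and the fallback landing page /dashboard are all illustrative.
"""
from typing import Callable
from urllib.parse import parse_qs, quote, urlsplit, urlunsplit

TRUSTED_HOST = "server.example.com"      # assumption: the server's own public hostname
DEFAULT_LANDING = "/dashboard"           # assumption: where rejected targets are sent instead
LOGIN_PATH = "/external-provider/login"  # assumption: external provider entry point


def build_login_link(target: str) -> str:
    """What the attacker mails out: the legitimate host with an attacker-chosen destination."""
    return f"https://{TRUSTED_HOST}{LOGIN_PATH}?returnUrl={quote(target, safe='')}"


def vulnerable_redirect_target(return_url: str) -> str:
    """The flawed pattern: whatever arrived in the parameter becomes the Location header."""
    return return_url or DEFAULT_LANDING


def safe_redirect_target(return_url: str) -> str:
    """Allowlist check: accept a same-origin path or an https URL whose authority is exactly
    TRUSTED_HOST; anything else falls back to DEFAULT_LANDING instead of being 'cleaned up'."""
    if not return_url:
        return DEFAULT_LANDING
    # Browsers ignore tab/newline and treat backslash like a slash, so normalise before
    # parsing; otherwise "/\evil.example" parses as a path here but as a host in the browser.
    candidate = "".join(ch for ch in return_url if ord(ch) > 0x20).replace("\\", "/")
    parts = urlsplit(candidate)
    if not parts.scheme and not parts.netloc:
        # Relative target: exactly one leading slash. "//h" never reaches this branch
        # (urlsplit puts the host in netloc) but "///h" does, and browsers resolve it as
        # a host, so the double-slash test still matters.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return DEFAULT_LANDING
    # Absolute target: compare the whole authority, not a prefix or substring, so
    # "server.example.com.evil.example", "server.example.com@evil.example" and
    # "server.example.com:8443" are all rejected. "https:evil.example" has an empty
    # netloc in urlsplit and is rejected too.
    if parts.scheme == "https" and parts.netloc.lower() == TRUSTED_HOST:
        return urlunsplit(("https", TRUSTED_HOST, parts.path or "/", parts.query, ""))
    return DEFAULT_LANDING


def resolve_from_link(link: str, handler: Callable[[str], str]) -> str:
    """Server side of the exchange: extract returnUrl from the clicked link, run the handler."""
    value = parse_qs(urlsplit(link).query).get("returnUrl", [""])[0]
    return handler(value)


if __name__ == "__main__":
    probes = [
        "/dashboard?tab=vaults",
        "https://server.example.com/vault/42",
        "https://evil.example/login",                 # plain off-site URL
        "//evil.example/login",                       # protocol-relative
        "///evil.example/login",                      # extra slashes, still a host to browsers
        "/\\evil.example/login",                      # backslash trick
        "https:evil.example/login",                   # no slashes, browser still resolves host
        "https://server.example.com.evil.example/",   # prefix-match bypass
        "https://server.example.com@evil.example/",   # userinfo bypass
        "javascript:alert(document.domain)",
    ]
    for p in probes:
        link = build_login_link(p)
        print(f"{p:46} vulnerable -> {resolve_from_link(link, vulnerable_redirect_target):44} "
              f"fixed -> {resolve_from_link(link, safe_redirect_target)}")
```

Running the script prints, for each probe, where each handler would send the browser; only the first two probes survive the fixed handler. The fixed version deliberately falls back to a constant landing page rather than trying to repair the value, because rewriting attacker-controlled input tends to reintroduce exactly the edge cases the check was meant to close.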
Detection Methods for CVE-2026-9245
Indicators of Compromise
- HTTP 3xx responses issued by Devolutions Server authentication endpoints whose Location header points to an external, non-corporate domain.
- Inbound requests to Devolutions Server authentication endpoints containing redirect parameters with absolute URLs to unfamiliar hosts.
- User reports of Devolutions login links that briefly transit the production server before landing on a look-alike domain.
Detection Strategies
- Inspect web server and reverse proxy logs for authentication requests where the redirect parameter contains an absolute or protocol-relative URL, or a host outside the organization's allowlist. Note that default combined-format access logs record the request line but not the response's Location header; log it explicitly (nginx `$sent_http_location`, Apache `%{Location}o`) to cover the response side as well.
- Correlate referrer chains in proxy logs to identify sessions that originate at Devolutions Server and terminate on newly registered or low-reputation domains.
- Alert on phishing emails containing URLs that target the Devolutions Server hostname combined with embedded redirect parameters.
Monitoring Recommendations
- Enable verbose logging on the Devolutions Server external authentication endpoints and forward logs to a centralized SIEM.
- Monitor DNS resolution for newly observed domains accessed immediately after Devolutions Server authentication events.
- Track user-agent and source IP anomalies on authentication flows that include redirect parameters.
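The request-side and response-side checks from the detection and monitoring lists above, run over a handful of constructed reverse-proxy log lines (added example; not Devolutions code and not real traffic). The endpoint prefix /external-provider/, the parameter names, the trusted host and the nginx log format that records the Location header are assumptions and are marked as such in the code. The sample includes a look-alike host and the backslash form, both of which a substring match on the server's hostname would pass.

```python
"""Detection of CVE-2026-9245-style redirect abuse over constructed reverse-proxy log lines.

Added example; not Devolutions code and not real traffic. Assumptions: the endpoint prefix
/external-provider/, the parameter names, the trusted host and the log format are illustrative.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

TRUSTED_HOST = "server.example.com"                       # assumption
AUTH_PATH_PREFIX = "/external-provider/"                  # assumption: external provider flow
REDIRECT_PARAMS = ("returnUrl", "redirect", "ReturnUrl")  # assumption, not from the advisory

# Assumed nginx format: combined, plus the response's Location header, which the default
# combined format does not record:
#   log_format redir '$remote_addr - $remote_user [$time_local] "$request" $status '
#                    '"$http_referer" "$http_user_agent" loc="$sent_http_location"';
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" loc="(?P<location>[^"]*)"$'
)

# Constructed sample lines: two benign logins, then one attacker session using a look-alike
# host and the backslash form, then unrelated API traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [22/May/2026:09:14:03 +0000] "GET /external-provider/login?returnUrl=%2Fdashboard HTTP/1.1" 302 "-" "Mozilla/5.0" loc="/dashboard"
203.0.113.7 - - [22/May/2026:09:14:09 +0000] "GET /external-provider/login?returnUrl=https%3A%2F%2Fserver.example.com%2Fvault HTTP/1.1" 302 "-" "Mozilla/5.0" loc="https://server.example.com/vault"
198.51.100.23 - - [22/May/2026:09:15:41 +0000] "GET /external-provider/login?returnUrl=https%3A%2F%2Fserver-example.com%2Flogin HTTP/1.1" 302 "https://mail.example/" "Mozilla/5.0" loc="https://server-example.com/login"
198.51.100.23 - - [22/May/2026:09:16:02 +0000] "GET /external-provider/login?redirect=%2F%5Cevil.example HTTP/1.1" 302 "-" "Mozilla/5.0" loc="/\\evil.example"
192.0.2.9 - - [22/May/2026:09:17:30 +0000] "GET /api/vaults HTTP/1.1" 200 "-" "curl/8.0" loc="-"
"""


def external_host(url: str) -> Optional[str]:
    """Host a browser would land on if `url` leaves the trusted origin, else None.

    Covers the forms a substring check misses: protocol-relative "//h" and "///h",
    backslash "/\\h", "https:h" without slashes, and non-http schemes (reported as
    e.g. "javascript:")."""
    s = url.strip().replace("\\", "/")
    parts = urlsplit(s)
    host = parts.netloc.lower()
    if not host and parts.scheme:
        if parts.scheme not in ("http", "https"):
            return parts.scheme + ":"
        host = parts.path.split("/")[0].lower()      # "https:evil.example/..." form
    if not host and s.startswith("//"):
        host = s.lstrip("/").split("/")[0].lower()   # "///h": no netloc for urlsplit, a host for browsers
    if not host or host == TRUSTED_HOST:
        return None
    return host


def analyse(log_text: str) -> List[Dict[str, str]]:
    """Flag auth-endpoint requests whose redirect parameter points off-site (request side)
    and 3xx responses from the auth endpoint whose Location header does (response side)."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["target"].startswith(AUTH_PATH_PREFIX):
            continue
        query = parse_qs(urlsplit(m["target"]).query)
        for name in REDIRECT_PARAMS:
            for value in query.get(name, []):
                host = external_host(value)
                if host:
                    findings.append({"ip": m["ip"], "ts": m["ts"], "side": "request",
                                     "field": name, "value": value, "host": host})
        if m["status"].startswith("3") and m["location"] != "-":
            host = external_host(m["location"])
            if host:
                findings.append({"ip": m["ip"], "ts": m["ts"], "side": "response",
                                 "field": "Location", "value": m["location"], "host": host})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']:15} {f['side']:8} {f['field']}={f['value']!r} -> {f['host']}")
```

On the sample, the two benign logins produce nothing and each attacker request produces two findings, one for the parameter and one for the Location header. Against a patched server only request-side findings should remain, which makes the same script a cheap post-upgrade check; feed it real lines by replacing SAMPLE_LOG with the contents of the proxy log, and expand REDIRECT_PARAMS once the actual parameter name is known.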
How to Mitigate CVE-2026-9245
Immediate Actions Required
- Upgrade Devolutions Server to a fixed release as published in Devolutions Security Advisory DEVO-2026-0013.
- Review authentication logs for suspicious redirect parameters since the affected versions were deployed.
- Notify Devolutions Server users about the risk of crafted login links and reinforce phishing awareness.
Patch Information
Devolutions has published security advisory DEVO-2026-0013 listing the fixed versions. Administrators running Devolutions Server 2026.1.6.0 through 2026.1.16.0, or any release at or below 2025.3.20.0, must upgrade to a patched build.
Workarounds
- Restrict access to the Devolutions Server authentication endpoints to trusted networks or VPN segments until the patch is applied.
- Configure upstream web application firewall rules that allow the redirect parameter only when it is a same-origin relative path or an absolute URL on an explicit allowlist, after URL-decoding and case-folding the value; rules that merely block values beginning with "http" miss protocol-relative and backslash forms.
- Train users to verify the final destination of authentication links and to report unexpected redirects to the security team.
# Example WAF rule (ModSecurity). The parameter names are assumptions; take the real ones from the advisory.
# Allowlist, not denylist: permit only an empty value, a same-origin path with a single leading slash
# (so "//evil" and "/\evil" are denied) or the server's own https origin; anything else, including
# "https:evil" and "https://server.example.com.evil", is denied. t:lowercase makes the match case-insensitive.
SecRule ARGS:returnUrl|ARGS:redirect|ARGS:ReturnUrl "!@rx ^(?:$|/(?![/\\])|https://server\.example\.com(?:[/?#]|$))" \
    "id:1009245,phase:2,deny,status:400,log,t:none,t:urlDecodeUni,t:removeWhitespace,t:lowercase,msg:'CVE-2026-9245 open redirect attempt'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


